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Executive Summary 


80% of health data remains unstructured and untapped after it is created.‘ We 
need decisive EU action to harmonise conditions for health-data processing 
across Member States. This is fundamental to creating a Common European 
Health Data Space. COVID-19, for example, has reminded us that access to 
health data for scientific research is still subject to various rules and 
interpretations in the EU. 


The European Union is best placed to show global leadership with its strong data 
protection rules such as the GDPR and experience in driving a single market of 
27 connected health ministries in the Member States. It needs to accelerate data 
sharing across borders and to address fragmentation to boost health innovation. 


DIGITALEUROPE recommends to: 


» Create an EU Code of Conduct on the primary and secondary use of 
health data 


» Harmonise different Member State rules governing health data to include: 


= Establishing a one-stop-shop in each Member State to facilitate 
the secondary use of health data while preserving patient trust 


= Issuing EDPB guidance on GDPR interpretation by national Data 
Protection Authorities (DPAs) 


= Aligning local and national healthcare regulations with the GDPR 
to remove inconsistencies, fragmentation and accelerate vital 
data-driven delivery of care and cross-border research 


1 Kong, Hyoun-Joong. (2019). Managing Unstructured Big Data in Healthcare System. Healthcare 
Informatics Research. 
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Please find below more details on our recommendations. Our members stand 
ready to discuss and share our expertise and experiences. 


A Code of Conduct on the primary and secondary 
use of health data 


The EU has the opportunity to demonstrate leadership on public health 

challenges if it can remove all barriers to health data flows in the Single Market. 
Vaccines to cross-border threats like COVID-19, cures for rare diseases and Al- 
powered diagnostic systems all depend on access to an individual’s health data. 


We urge Member States to move beyond consent as a legal basis for primary 
and secondary uses. Authorities must recognise that other legal bases offer valid 
opportunities to speed up health solutions for pressing social needs and 
overcome longstanding data problems. Restrictive interpretations of public 
interest are hindering medical device real-time access to data for delivery of care. 
Similarly, in consent-based EU countries, legacy data issues such as patient 
death or the lack of a direct researcher-patient communication line are slowing 
down medical research and development. 


We stand for the creation of an EU Code of Conduct on the processing of 
genetic, biometric, or health data that includes: 


» Public interest as legal basis for circumstances in Article 9.2 of the 
GDPR. The Code should also give a common interpretation of what is 
considered “public interest” by national authorities across the EU. The 
COVID-19 crisis shows us health data collection is crucial for real-time 
tracking of disease transmission, epidemiological research or discovery 
and identification of treatment options. Unduly restrictive Member State 
interpretations of public interest prevent hospitals from sharing important 
data that can help saving lives. 


» Common, acceptable de-identification and anonymisation levels for 
each specific circumstance. They could pave the way for a “relative” 
anonymisation approach, where traceability back to the source records 
comes without increased risks of patient re-identification. 


» An opt-out model for secondary use of data in research fields with 
higher patient identification sensitivities. This model would suit areas 
like rare diseases, genomes and personalised medicine, with higher re- 
identification risks than normal and where complete de-identification may 
impact the successful research outcome. A robust ethical and security 
framework would build necessary patient trust in this model and 
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guarantee that vital identifiable data for research progress is handled 
properly. It would entail patient rights to actively object to their data being 
processed. Consent in this model should be, if required, an additional 
“ethical” safeguard, rather than the main legal basis for processing. 


Harmonisation of rules and their interpretations 


Other decisive actions should complement the creation of a Code of Conduct. Today, 
companies must navigate a patchwork of local and national regulations to process 
health data in the EU. Adding to that, Member States have different interpretations of 
the GDPR on aspects such as legitimate interest or consent for primary or secondary 
use. 


Legal uncertainty ensues from this fragmented picture. Companies miss key 
opportunities to access and share data to address vital public health challenges. 


» We welcome the aim of the European Data Protection Board (EDPB) to 
issue guidance on health data-processing in the context of COVID-19. 
But the scope of the document should expand beyond health data 
processing for scientific and research purposes. Processing of health 
data in non-research circumstances must be clarified too for healthcare 
companies and hospitals to unlock new treatment opportunities. Real- 
time understanding of the disease’s patterns, monitoring oxygen levels for 
immediate medical care or diagnosing COVID-19 from chest X-rays are 
just a few examples. 


We also urge: 


» The EDPB to give guidelines on GDPR interpretation by national Data 
Protection Authorities (DPAs). It should give a common understanding of 
public interest, legitimate interest, consent and the compatibility of 
primary and secondary use of data, which are key to speed up healthcare 
innovation. 


» Member States to establish a one-stop-shop to facilitate the 
secondary use of health data. Finland’s Act on the Secondary Use of 
Health and Social Data 552/20192is a positive example. Other EU 
countries should replicate it. Based on patient trust, it set up a centralised 
authority to handle all data requests for research. 


» Member States to remove inconsistencies and fragmentation in local 
and national healthcare regulations. It is fundamental to align these 
rules with data protection provisions at EU level and harmonise as much 
as possible the regulatory landscape. Data must flow freely across 


2 More info here 
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borders if we want to find solutions to Europe’s largest public health 
challenges and create a successful Common European Health Data 
Space. 


FOR MORE INFORMATION, PLEASE CONTACT: 


hh Ray Pinto 


Digital Transformation Policy Director 


ray.pinto@digitaleurope.org / +32 472 55 84 02 


àa Vincenzo Renda 
Senior Policy Manager for Digital Industrial Transformation 


vincenzo.renda@digitaleurope.org / +32 490 11 42 15 
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About DIGITALEUROPE 


DIGITALEUROPE represents the digital technology industry in Europe. Our members include 
some of the world’s largest IT, telecoms and consumer electronics companies and national 
associations from every part of Europe. DIGITALEUROPE wants European businesses and 
citizens to benefit fully from digital technologies and for Europe to grow, attract and sustain the 
world’s best digital technology companies. DIGITALEUROPE ensures industry participation in 
the development and implementation of EU policies. 


DIGITALEUROPE Membership 


Corporate Members 


Airbus, Amazon, AMD, Apple, Arçelik, Bayer, Bosch, Bose, Bristol-Myers Squibb, Brother, Canon, Cisco, 
DATEV, Dell, Dropbox, Epson, Ericsson, Facebook, Fujitsu, Google, Graphcore, Hewlett Packard 
Enterprise, Hitachi, HP Inc., HSBC, Huawei, Intel, Johnson & Johnson, JVC Kenwood Group, Konica 
Minolta, Kyocera, Lenovo, Lexmark, LG Electronics, MasterCard, METRO, Microsoft, Mitsubishi Electric 
Europe, Motorola Solutions, MSD Europe Inc., NEC, Nokia, Nvidia Ltd., Océ, Oki, Oracle, Palo Alto 
Networks, Panasonic Europe, Philips, Qualcomm, Red Hat, Ricoh Europe PLC, Rockwell Automation, 
Samsung, SAP, SAS, Schneider Electric, Sharp Electronics, Siemens, Siemens Healthineers, Sony, Swatch 
Group, Tata Consultancy Services, Technicolor, Texas Instruments, Toshiba, TP Vision, UnitedHealth 
Group, Visa, VMware, Xerox. 


National Trade Associations 


Austria: IOÖ 

Belarus: INFOPARK 
Belgium: AGORIA 
Croatia: Croatian 
Chamber of Economy 
Cyprus: CITEA 

Denmark: DI Digital, IT 
BRANCHEN, Dansk Erhverv 
Estonia: ITL 

Finland: TIF 

France: AFNUM, Syntec 
Numérique, Tech in France 


Germany: BITKOM, ZVEI 
Greece: SEPE 

Hungary: IVSZ 

Ireland: Technology Ireland 
Italy: Anitec-Assinform 
Lithuania: INFOBALT 
Luxembourg: APSI 
Netherlands: Nederland ICT, 
FIAR 

Norway: Abelia 

Poland: KIGEIT, PIIT, ZIPSEE 
Portugal: AGEFE 


Romania: ANIS, APDETIC 
Slovakia: ITAS 

Slovenia: GZS 

Spain: AMETIC 

Sweden: Foreningen 
Teknikföretagen i Sverige, 
IT&Telekomföretagen 
Switzerland: SWICO 
Turkey: Digital Turkey Platform, 
ECID 

Ukraine: IT UKRAINE 
United Kingdom: techUK 


